
Empire is an open source post-exploitation framework that acts as a capable backdoor on infected systems and provides a management platform for the machines it controls. Empire can deploy PowerShell and Python agents to infect both Windows and Linux systems.

Empire can:

Deploy fileless agents to perform command and control.

Exploit vulnerabilities to escalate privileges.

Install itself for persistence.

Steal user credentials.

It has also evolved to support the initial phases of an attack, and can create malicious documents to deploy its agent.

Empire’s features are classified into listeners, stagers and modules. Below, we describe how AlienVault USM can detect these stages on a Windows target.

Staging

Empire first attempts to deploy an agent using one of multiple stager modules. USM will generically detect the agent after Powershell is invoked with an encoded payload. Commands executed with encoded arguments are commonly used by attackers as an obfuscation technique, so they produce the USM alert ‘Defense Evasion - Obfuscated Command - Powershell Execution of Encoded Command’:

This alert detects most Empire stagers on Windows, when they use Powershell to execute an encoded command.

An alternative for an attacker is to craft an Office document with a macro, which will execute the agent command by running a crafted Windows process from the WMI Service:

' Connect to the local WMI namespace
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
' Build a startup configuration that hides the new process window
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = 0
' Ask WMI to create the process; str holds the agent launch command (not shown in the post)
Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
objProcess.Create str, Null, objConfig, intProcessID

When the macro runs, Windows Management Instrumentation creates a new process. USM listens to the Windows events to detect the WMI process-creation call, which is commonly used in lateral movement scenarios. The ‘Lateral Movement - Remote WMIC Activity’ alert is raised, displaying the malicious Powershell command:

Another way for an attacker to implant the Empire agent on a victim’s machine is to create an HTML Application using the Empire module windows/hta. On a system with a weak security configuration, a simple spear phishing mail with a link to the crafted HTML Application is enough to get the agent running.

For each alert, USM provides detailed information about the nature of the issue and useful recommendations for the security staff to follow:

As this is a common technique for installing malware, USM identifies applications such as Powershell executed by HTML Applications. In this instance, USM creates an alarm for ‘Code Execution - Suspicious Process Created by mshta.exe’:
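The three staging detections described above (an encoded Powershell command, a process spawned through WMI, and a script host started by mshta.exe) all operate on the same input: a process-creation event with an image, a parent image and a command line. The following is an added example written for this post, not AlienVault USM code. It runs those three checks over a handful of constructed events shaped like Sysmon Event ID 1 fields (the field names, paths, users and command lines are invented), and decodes the -EncodedCommand payload so an analyst can see what the stager would have run. The WMI check assumes that a process created through Win32_Process.Create shows WmiPrvSE.exe as its parent, which is the heuristic this example uses in place of USM's own logic.

```python
import base64
import ntpath
from typing import List, Optional


def encode_powershell(script: str) -> str:
    """Base64 of UTF-16LE, the encoding powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# Every name and value here is invented for this example; none is real telemetry.
SAMPLE_EVENTS = [
    {   # Empire-style stager launch: hidden window, encoded payload
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell -NoP -NonI -W Hidden -Enc "
                       + encode_powershell("Write-Host 'constructed stager body'"),
    },
    {   # HTML Application opened from a phishing link, spawning PowerShell
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "powershell -w hidden -c \"Write-Host 'constructed hta body'\"",
    },
    {   # process created through Win32_Process.Create, as the macro does
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": "powershell -ep bypass -e "
                       + encode_powershell("Write-Host 'constructed wmi body'"),
    },
    {   # benign administrative use: plain arguments, ordinary parent
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
    },
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = POWERSHELL_IMAGES | {"cmd.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script when the command line carries -EncodedCommand
    (or any prefix powershell.exe accepts, such as -e, -ec or -enc), else None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if not flag.startswith("-"):
            continue
        name = flag[1:]
        if name == "ec" or (name and "encodedcommand".startswith(name)):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload is not valid base64/UTF-16LE
    return None


def analyze_event(ev: dict) -> List[dict]:
    """Apply the three staging detections from the post to one process-creation event."""
    findings = []
    image = _basename(ev["Image"])
    parent = _basename(ev["ParentImage"])
    decoded = decode_encoded_command(ev["CommandLine"]) if image in POWERSHELL_IMAGES else None
    if decoded is not None:
        findings.append({"rule": "Obfuscated Command - PowerShell Execution of Encoded Command",
                         "detail": decoded})
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        findings.append({"rule": "Suspicious Process Created by mshta.exe",
                         "detail": ev["CommandLine"]})
    # Assumption of this example: a process created via Win32_Process.Create has
    # WmiPrvSE.exe as its parent, so that parent is the WMI-activity signal here.
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        findings.append({"rule": "Remote WMIC Activity",
                         "detail": ev["CommandLine"]})
    return findings


def analyze_all(events=SAMPLE_EVENTS) -> List[dict]:
    """Run every event through the checks and tag each finding with its parent process."""
    out = []
    for ev in events:
        for finding in analyze_event(ev):
            out.append({"parent": _basename(ev["ParentImage"]), **finding})
    return out


if __name__ == "__main__":
    for f in analyze_all():
        print(f"[{f['rule']}] parent={f['parent']} :: {f['detail']}")
```

The benign fourth event produces nothing because -ExecutionPolicy and -File are not prefixes of -EncodedCommand and explorer.exe is not a suspicious parent; the WMI-spawned event produces two findings, one for the parent and one for the decoded payload, which is the kind of overlap a rule engine should expect rather than suppress.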

Escalating Privileges

After infection, the attacker will try to escalate privileges. For that, they can use one of the ‘privesc’ Empire modules.

One of the most dangerous will try to bypass Windows UAC by abusing the native Event Viewer. When Event Viewer runs, it tries to execute mmc.exe using the command stored under the HKCU\Software\Classes\mscfile\shell\open\command registry key. Thus, an attacker can use that location to place a process that will run at a high integrity level.

Trying this results in a registry key hijack attempt, which is detected by the AlienVault agent and surfaced in USM as a ‘Privilege Escalation - Windows UAC Bypass’ alert:
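The registry side of this detection is a matter of watching for writes under the key named above in a per-user hive. The example below is added here and is not USM's detection logic. It assumes registry events shaped like Sysmon Event ID 13 fields (EventType, TargetObject, Details, User, Image), where the current-user hive is logged as HKU\<SID>\..., and it normalises that form, HKCU\... and HKEY_CURRENT_USER\... to one prefix before comparing. The events, SID, user names and the placeholder command are constructed. A write to the same path under HKLM is deliberately not flagged: the legitimate mscfile handler lives in the machine hive, and it is the user-hive override that Event Viewer picks up first.

```python
from typing import List, Optional

# The key the post names: Event Viewer resolves the mscfile handler here, and a
# command planted under the user's hive is launched at high integrity.
UAC_BYPASS_KEY = r"Software\Classes\mscfile\shell\open\command"

# Constructed registry value-set events shaped like Sysmon Event ID 13 fields.
SAMPLE_REGISTRY_EVENTS = [
    {   # suspicious: user-hive override of the mscfile handler
        "EventType": "SetValue",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)",
        "Details": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc <constructed placeholder>",
        "User": r"CORP\alice",
        "Image": r"C:\Windows\System32\reg.exe",
    },
    {   # benign: an application registering a file type for the same user
        "EventType": "SetValue",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\.txt\(Default)",
        "Details": "txtfile",
        "User": r"CORP\alice",
        "Image": r"C:\Program Files\Editor\setup.exe",
    },
    {   # benign: machine-hive write by an installer, not a per-user override
        "EventType": "SetValue",
        "TargetObject": r"HKLM\Software\Classes\mscfile\shell\open\command\(Default)",
        "Details": r"%SystemRoot%\system32\mmc.exe ""%1"" %*",
        "User": "NT AUTHORITY\\SYSTEM",
        "Image": r"C:\Windows\System32\msiexec.exe",
    },
]


def normalize_hive(target: str) -> str:
    """Rewrite HKU\\<SID>\\..., HKEY_CURRENT_USER\\... and HKCU\\... to HKCU\\...
    so one comparison covers every way a per-user path shows up in logs."""
    t = target.strip().strip("\\")
    lower = t.lower()
    for prefix in ("hkey_current_user\\", "hkcu\\"):
        if lower.startswith(prefix):
            return "HKCU\\" + t[len(prefix):]
    if lower.startswith("hku\\") or lower.startswith("hkey_users\\"):
        parts = t.split("\\", 2)  # ['HKU', '<SID>', 'Software\\...']
        if len(parts) == 3:
            return "HKCU\\" + parts[2]
    return t


def is_uac_bypass_write(event: dict) -> Optional[dict]:
    """Flag a value-set event that plants a command under the per-user mscfile handler."""
    if event.get("EventType") != "SetValue":
        return None
    path = normalize_hive(event["TargetObject"])
    key, _, value_name = path.rpartition("\\")  # last component is the value name
    if key.lower() != ("HKCU\\" + UAC_BYPASS_KEY).lower():
        return None
    return {
        "rule": "Privilege Escalation - Windows UAC Bypass",
        "user": event.get("User"),
        "writer": event.get("Image"),
        "value": value_name,
        "written": event.get("Details"),
    }


def scan_registry(events=SAMPLE_REGISTRY_EVENTS) -> List[dict]:
    """Return one finding per event that matches the UAC bypass rule."""
    return [hit for hit in (is_uac_bypass_write(ev) for ev in events) if hit is not None]


if __name__ == "__main__":
    for hit in scan_registry():
        print(f"[{hit['rule']}] {hit['user']} via {hit['writer']} wrote {hit['written']!r}")
```

Recording which process performed the write (reg.exe, powershell.exe, or something else) is what gives the alert its investigative value, since the same event also tells the responder which user context to look at for the follow-on high-integrity process.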

Empire C&C

The Empire agent will access the network through a crafted powershell command. Although this command combines a number of obfuscation techniques (such as case switching) and Base64 encoding, some features in its structure are invariant and allow for detection.

When the decoded command is registered by ‘Windows Powershell Login Channel’ and sent to the USM engine, it will trigger a ‘Hacking Tool - Powershell Empire agent CnC activity’ alert announcing that Empire has been detected on the machine:

Other features

The Empire framework also provides several modules to enable persistence on the infected machine such as: scheduled tasks, a number of registry keys, or WMI event subscriptions.

USM Anywhere raises a low-priority alarm for each scheduled task:

These alerts provide full information about the task content, responsible user, and other key data.

To steal system credentials, an attacker can also rely on Empire modules. The mimikatz module can operate once a high-privilege agent is installed on the victim’s machine. Executing mimikatz involves an iterative file-listing process that is easy to detect with USM:

About the Author: Jose Manuel Martin

Jose is a Security Researcher and a part of the AlienVault Labs team. His interest in development led Jose to work as an Application Security Engineer and Scrum Master in the past. Nowadays he enjoys watching old-fashioned movies, researching threat models, and finding new mechanisms to detect malware. He is also an enthusiast of information theory and physics.